From e97060d2f50212863f3ce93a2d15cb337f298dac Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 25 Jun 2024 19:54:09 -0600
Subject: [PATCH] Add schema for IBM Directory Server in LDIF format.

GitHub issue #384
---
 MANIFEST             |  1 +
 README.LDAP.md       | 13 ++++++-
 docs/schema.IBM_LDAP | 91 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 docs/schema.IBM_LDAP

diff --git a/MANIFEST b/MANIFEST
index a3f8ffbd1..c249fb9a4 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -32,6 +32,7 @@ docs/cvtsudoers.mdoc.in
 docs/fixman.sh
 docs/fixmdoc.sed
 docs/schema.ActiveDirectory
+docs/schema.IBM_LDAP
 docs/schema.OpenLDAP
 docs/schema.iPlanet
 docs/schema.olcSudo
diff --git a/README.LDAP.md b/README.LDAP.md
index 7d3e97f6a..bccda62f5 100644
--- a/README.LDAP.md
+++ b/README.LDAP.md
@@ -96,8 +96,17 @@ copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif. On Solaris, schemas are stored in /var/Sun/mps/slapd-\`hostname\`/config/schema/. For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
-After copying the schema file to the appropriate directory, restart
-the LDAP server.
+For IBM Directory Server, IBM Tivoli Directory Server, IBM Security
+Directory Server, and IBM Security Verify Directory, the schema is
+supplied in LDIF format. It can be installed using the ldapmodify
+utility:
+
+ # ldapmodify -c -f schema.IBM_LDAP -h ldapserver:port -w passwod \
+ -D cn=Manager,dc=example,dc=com
+
+For schema files other than schema.olcSudo and schema.IBM_LDAP, you
+will need to restart the LDAP server after copying the schema file
+into place.
 Finally, using an LDAP browser/editor, enable indexing by editing the client profile to provide a Service Search Descriptor (SSD) for sudoers,
diff --git a/docs/schema.IBM_LDAP b/docs/schema.IBM_LDAP
new file mode 100644
index 000000000..43e1ecd66
--- /dev/null
+++ b/docs/schema.IBM_LDAP
@@ -0,0 +1,91 @@
+#
+# sudoers schema for IBM Directory Server, also known as Tivoli Directory
+# Server, IBM Security Directory Server, and IBM Security Verify Directory.
+#
+# To import: ldapmodify -c -D binddn -h host:port -w password -f schema.IBM_LDAP
+# Substitute the correct values for binddn, host:port and password.
+#
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 DBNAME( 'sudoUser' 'sudoUser' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 DBNAME( 'sudoHost' 'sudoHost' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.3 DBNAME( 'sudoCommand' 'sudoCommand' ) ACCESS-CLASS normal LENGTH 2048 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.4 DBNAME( 'sudoRunAs' 'sudoRunAs' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 DBNAME( 'sudoOption' 'sudoOption' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 DBNAME( 'sudoRunAsUser' 'sudoRunAsUser' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 DBNAME( 'sudoRunAsGroup' 'sudoRunAsGroup' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 DBNAME( 'sudoNotBefore' 'sudoNotBefore' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.9 DBNAME( 'sudoNotAfter' 'sudoNotAfter' ) ACCESS-CLASS normal LENGTH 512 )
+
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+-
+add: ibmattributetypes
+ibmattributetypes: ( 1.3.6.1.4.1.15953.9.1.10 DBNAME( 'sudoOrder' 'sudoOrder' ) ACCESS-CLASS normal )
+
+dn: cn=schema
+changetype: modify
+add: objectClasses
+objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
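Review bot: The sudoHost definition pairs `SUBSTR caseExactSubstringsMatch` with the IA5 String syntax (1.3.6.1.4.1.1466.115.121.1.26); that substring rule is the Directory String one, as correctly used for sudoUser (syntax …1.15) just above, and the OpenLDAP schema in this tree uses `caseExactIA5SubstringsMatch` for sudoHost. Whether the IBM server accepts the IA5 substring rule is not visible here, so the import should be verified against a real server and the rule corrected, or the SUBSTR clause dropped, accordingly. The first entry also writes `attributetypes:` while the remaining nine write `attributeTypes:`; LDAP attribute descriptions are case-insensitive, so this is only a consistency nit worth normalizing. The header's `-w password` example places the bind password in the process argument list, where other local users can read it; if the IBM client can prompt for the password instead, the comment should say so. The README example added in the same patch also spells the placeholder `passwod`.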